oci-copy: rework SBOM generation

chmeliik · chmeliik · commit 8e99de32d607 · 2025-01-23T14:34:12.000+01:00
Use scripts from https://github.com/konflux-ci/build-tasks-dockerfiles instead of the previous bash script. Signed-off-by: Adam Cmiel <acmiel@redhat.com>
diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
@@ -294,38 +294,25 @@ spec:
           add:
             - SETFCAP
     - name: sbom-generate
-      image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
+      image: quay.io/acmiel-test/sbom-utility-scripts:spdx-support
       workingDir: /var/workdir
       script: |
         #!/bin/bash
-        cat >sbom-cyclonedx.json <<EOL
-        {
-            "\$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
-            "bomFormat": "CycloneDX",
-            "specVersion": "1.5",
-            "version": 1,
-            "components": []
-            "metadata": {
-              "component": {
-                "type": "file",
-                "name": "${IMAGE%:*}@$(cat "$(results.IMAGE_DIGEST.path)")"
-              }
-            }
-        }
-        EOL
+        set -euo pipefail
 
-        for varfile in "/var/workdir"/vars/*; do
-          echo "Reading $varfile"
-          # shellcheck source=/dev/null
-          source $varfile
+        IMAGE_URL=$(cat "$(results.IMAGE_URL.path)")
+        IMAGE_DIGEST=$(cat "$(results.IMAGE_DIGEST.path)")
+        oci_copy_file_path="$(pwd)/source/$OCI_COPY_FILE"
 
-          ENCODED_URL=$(echo "${OCI_SOURCE}" | python3 -c 'import sys; import urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip(), safe=":/"))')
-          ENCODED_FILENAME=$(echo "${OCI_FILENAME}" | python3 -c 'import sys; import urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip(), safe=":/"))')
-          purl="pkg:generic/${ENCODED_FILENAME}?download_url=${ENCODED_URL}&checksum=sha256:${OCI_ARTIFACT_DIGEST}"
+        python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" -o sbom-cyclonedx.json
 
-          echo "Recording purl $purl"
-          yq -oj -i '.components += [ {"purl": "'$purl'", "type": "file", "name": "'$OCI_FILENAME'", "hashes": [{"alg": "SHA-256", "content": "'$OCI_ARTIFACT_DIGEST'"}], "externalReferences": [{"type": "distribution", "url": "'$OCI_SOURCE'"}]} ]' sbom-cyclonedx.json
-        done
+        python3 /scripts/add_image_reference.py \
+          --image-url "$IMAGE_URL" \
+          --image-digest "$IMAGE_DIGEST" \
+          --input-file sbom-cyclonedx.json \
+          --output-file /tmp/sbom-cyclonedx.tmp.json
+
+        mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json
     - name: upload-sbom
       image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
       workingDir: /var/workdir
diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml
@@ -274,37 +274,24 @@ spec:
           name: varlibcontainers
       workingDir: $(workspaces.source.path)
     - name: sbom-generate
-      image: quay.io/konflux-ci/yq:latest@sha256:93bb15cff64b708263055a5814b24a0b450d8724b86a7e5206396f25d81fcc21
+      image: quay.io/acmiel-test/sbom-utility-scripts:spdx-support
       script: |
         #!/bin/bash
-        cat >sbom-cyclonedx.json <<EOL
-        {
-            "\$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
-            "bomFormat": "CycloneDX",
-            "specVersion": "1.5",
-            "version": 1,
-            "components": []
-            "metadata": {
-              "component": {
-                "type": "file",
-                "name": "${IMAGE%:*}@$(cat "$(results.IMAGE_DIGEST.path)")"
-              }
-            }
-        }
-        EOL
+        set -euo pipefail
 
-        for varfile in "$(workspaces.source.path)"/vars/*; do
-          echo "Reading $varfile"
-          # shellcheck source=/dev/null
-          source $varfile
+        IMAGE_URL=$(cat "$(results.IMAGE_URL.path)")
+        IMAGE_DIGEST=$(cat "$(results.IMAGE_DIGEST.path)")
+        oci_copy_file_path="$(pwd)/source/$OCI_COPY_FILE"
 
-          ENCODED_URL=$(echo "${OCI_SOURCE}" | python3 -c 'import sys; import urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip(), safe=":/"))')
-          ENCODED_FILENAME=$(echo "${OCI_FILENAME}" | python3 -c 'import sys; import urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip(), safe=":/"))')
-          purl="pkg:generic/${ENCODED_FILENAME}?download_url=${ENCODED_URL}&checksum=sha256:${OCI_ARTIFACT_DIGEST}"
+        python3 /scripts/sbom_for_oci_copy_task.py "$oci_copy_file_path" -o sbom-cyclonedx.json
 
-          echo "Recording purl $purl"
-          yq -oj -i '.components += [ {"purl": "'$purl'", "type": "file", "name": "'$OCI_FILENAME'", "hashes": [{"alg": "SHA-256", "content": "'$OCI_ARTIFACT_DIGEST'"}], "externalReferences": [{"type": "distribution", "url": "'$OCI_SOURCE'"}]} ]' sbom-cyclonedx.json
-        done
+        python3 /scripts/add_image_reference.py \
+          --image-url "$IMAGE_URL" \
+          --image-digest "$IMAGE_DIGEST" \
+          --input-file sbom-cyclonedx.json \
+          --output-file /tmp/sbom-cyclonedx.tmp.json
+
+        mv /tmp/sbom-cyclonedx.tmp.json sbom-cyclonedx.json
       workingDir: $(workspaces.source.path)
     - name: upload-sbom
       image: quay.io/konflux-ci/appstudio-utils:48c311af02858e2422d6229600e9959e496ddef1@sha256:91ddd999271f65d8ec8487b10f3dd378f81aa894e11b9af4d10639fd52bba7e8
